Feds shut down massive "Darkode" hacker marketplace

Investigators shut down an online marketplace where cybercriminals bought and sold hacked databases, malicious software and other products that could cripple or steal information from computer systems, the Justice Department announced Wednesday.

More than 70 cybercriminals in the United States and 19 other countries are targets of the investigation, authorities said. Some of them have been charged, while others were the subject of search warrants because some countries require evidence to be seized before criminal charges can be filed, investigators said.

U.S. Attorney David Hickton and other federal investigators revealed the 18-month undercover inquiry in Pittsburgh. The city is home to a large FBI cybercriminal squad and the National Cyber-Forensics & Training Alliance - a public-private nonprofit that aims to defeat cybercriminals. Pennsylvania's Western District has been aggressive in pursuing major international cybercrime cases, an effort that led to the high-profile indictments in 2014 of five military hackers working for the Chinese government.

The site targeted in the current shutdown, called Darkode, was the largest-known English-language malware forum in the world, authorities said.

"Of the roughly 800 criminal internet forums worldwide, Darkode represented one of the gravest threats to the integrity of data on computers in the United States and around the world and was the most sophisticated English-speaking forum for criminal computer hackers in the world," said Hickton.

On the forum, hackers sold malware or solicited others to install it on unsuspecting victims' computers, investigators said. Marketplace members also bought and sold stolen databases - some containing millions of people's email addresses or personal information - often used in identity-theft and computer fraud schemes.

Hackers couldn't just log onto the site. They had to be vouched for or nominated by current members to be able to buy, sell or solicit illegal wares or services on the site, authorities said.

The site, which had roughly 250 to 300 active members, was seized and shut down by authorities Tuesday as most of the arrests were being made and search warrants were being executed.

According to cybersecurity experts, arrests of particular actors could be much more impactful within the hacking community than the takedown of the site, as widespread and influential as it is.

"If you view this action as a shutdown of one online forum, of course it won't make a dent. Not only are these things backed up as a matter of course, they're also incredibly easy to spin back up in another location," cyberwarfare advisor David Gewirtz told CBS News.

"But if a detailed review of the 'take' by DOJ investigators reveals leads as to identities, or potential evidence that can enable authorities to lock up some of the worst perpetrators, that can make a difference. While hacking has moved beyond individual activists (like most Darkode users) to organized actors, there are still some linchpin players who are high value because of their skills, knowledge, or influence."

"So, if DOJ can take some of these individuals out of play, that will make a dent," he added.

But other threats and information marketed through Darkode have far more sinister implications.

The advertised products included personal information from customers who participated in an automobile auction, personal information of 39,000 people from a database of Social Security numbers and 20 million emails and usernames that could be used to target people for identity theft, phishing emails or other schemes.

Those arrested or searched live in the United States, United Kingdom, Australia, Bosnia-Herzegovina, Brazil, Canada, Colombia, Costa Rica, Croatia, Cyprus, Denmark, Finland, Germany, Israel, Latvia, Macedonia, Nigeria, Romania, Serbia and Sweden. There are victims in all of those countries, and others, authorities said.

One of the hackers charged was Pittsburgh resident Morgan Culbertson. Culbertson, who interned for security firm FireEye, was charged with conspiring to send malicious code. He is accused of designing Dendroid, malware intended to remotely access, control, and steal data from Google Android cellphones, according to the Justice Department.

In a statement, FireEye said, "On Wednesday, July 15, 2015, FireEye learned that an intern, Morgan Culbertson, was charged by the U.S. Department of Justice in their global takedown effort of the Darkode hacking forum. Mr. Culbertson's internship has been suspended pending an internal review of his activities. As there are ongoing investigations by external parties and FireEye, we cannot provide any further comment on Mr. Culbertson and his activities."

A 27-year-old Swedish hacker named Johan Anders Gudmunds was indicted for conspiracy to commit computer fraud, conspiracy to commit wire fraud, and conspiracy to commit money laundering. Accused of serving as the administrator of Darkode, Gudmunds also allegedly operated his own botnet, which he used to steal data from the users of 50,000 computers on approximately 200,000,000 occasions.

Charges were made in three states and Washington, D.C., against defendants from the U.S. and other countries for the sale on Darkode of stolen credit card numbers, spam schemes and other alleged malicious activities.

Christopher Hadnagy, CEO of Social Engineer, a white hat firm that companies hire to find vulnerabilities in their networks, applauded the DOJ's effort, but questioned the long-term effects. "I do consider it a win, but I don't think it will end the fight," he said. "Taking down one forum, although a good thing, it's really not going to stop them."

He added, "We used to say we were always a step behind the bad guys but I think it's more like five or six steps."

Charles Tendell, CEO of Hackerslist, a hacking-for-hire marketplace, considered the move symbolic more than anything. "It's not enough to actually stop malicious hackers. This will simply drive them further underground," he told CBS News. "Yes, it's a feather in the DOJ's cap but will have little to no impact on malicious users."